Follow Friday: Where Debit-Card Numbers Get Stolen

“Credit card came in the mail today #Hooray!” one woman unassumingly informed Twitter last month. “Was able to get the bank to put myself on my debit card(: like my sexy seductive pose? :),” a man asked his followers not long after. Another woman celebrated: “So proud. :) I cut up my credit card! Now to pay it off.”

With each tweet, these three also included something that most of us probably wouldn’t have: mobile-snapped photos of their debit cards, with handy 16-digit numbers included. Whoops.

Enter @NeedADebitCard, a new Twitter account that’s either a service for sense-deprived people, a boon for identity thieves, or sadistic public shaming, depending on your point of view. “Please quit posting pictures of your debit cards, people,” its bio implores—but the examples rounded up and retweeted in the account’s short life show that isn’t likely to happen anytime soon. Most of the offenders have since removed the photos, presumably after they saw who had retweeted them. In recent days, as @NeedADebitCard made the Web rounds, a growing mob of their Twitter comrades reminded them that such posts probably aren’t a good idea.

But how bad is it, really? How much damage can someone do with an image alone? By itself, the image does not pose a great financial threat to the debit card's owner, according to Thomas Holt, an associate professor at Michigan State University who studies privacy and identity theft. Without the CCV code on the back of the card, he explains, there’s only some risk. However, the data revealed does help a potential identity thief to build a profile of someone, by amassing such pieces of information. And the information gathered could make it easier for thieves to learn more sensitive details. (This is also why the recent LinkedIn password leak became such a worry.) And in the case of tweeted debit cards, Holt drolly suggests, “If you're posting your credit card in that public of a forum, you're probably not very secure in other places.”

Christian Seifert, the CEO of the computer-security-focused Honeynet Project, outlined how he would scam me based on information he found that I shared online. While elaborate, his scheme did seem plausible. “It depends a bit on the value of the target and the persistence of the attacker,” he said, pointing to an attack on Google that took weeks to succeed.

Like others I spoke to in their line of work, Holt and Seifert had already seen the @NeedADebitCard account when I asked them about it, and Holt said he was of two minds on it. “On the one hand, I think it's funny because people are willing to put that kind of information online,” he said. “On the other hand, I think it might be good because of the, uh, dumb behavior, for lack of a better term.” He also seemed a bit dispirited by the whole phenomenon. “There’s something unfortunate that we're now to the point where we need to do this.”